When a broker who handles large corporate accounts reflected on what the most overlooked risk is, he remarked that it's probably top management and the risk management process itself. "All too often I see the CEO who thinks he knows and understands all the risks that his company faces and then decides that any kind of ongoing risk assessment isn't worth the time, effort and expense," says the broker. Then a calamity like Hurricane Katrina hits, or a corporation's computers are hacked and business is off-line for days.
"I wonder what he's thinking when he has to sign off on the annual Sarbanes-Oxley statement that attests that he stands behind every fact and figure and understands all the risks that his company faces," the broker also says.
Nor is corporate top management alone in this process. Just look at the goings-on in Washington, D.C., these days. The spectacle of the head of the Federal Bureau of Investigation or the Attorney General apologizing before Congress about the fact that they really didn't know what was going on in their own operations speaks to the fact that government top management seems unable to assess risk within their organizations.
The idea that those responsible for the sound stewardship of a company or a public institution don't, or can't, fulfill their responsibilities is nothing new. The enemy within, either within an individual, an organization or a process, is an idea at least as old as Jesus, himself betrayed by his own apostle Judas Iscariot.
Today's most overlooked risk may well be risk management itself and an organization's ability, or lack of ability, to handle the vastly changing nature and variety of risks. In the middle of this environment sits the risk manager, the corporate professional entrusted to manage risk.
Whether risk management is overseen by a single risk manager, a team of risk managers, or a CFO responsible for the firm's risk management function, not a soul in the insurance industry would doubt that the discipline has become more complex--as dozens of companies and their senior risk managers find out with increasing frequency.
Thus, it should come as no surprise that "risk management risk" is a worthy contender for one of the most overlooked risks facing institutions today.
It's become almost a cliche, but today's risk management must consider the known risks, unknown risks and the unknowable risks. For too many companies, and their top management, this kind of issue fails to reach the C-suite.
"The degree to which individual risk managers deal with these risks depends upon the level of risk management at which they operate," says a recent report from the Risk and Insurance Management Society Inc.
The old insurance buyer won't cut it in this environment, but companies have been slow to change.
Greenwich Associates, working with RIMS, conducted the "Excellence in Risk Management" survey, interviewing nearly 900 risk managers in 2005.
Sponsored by Marsh Inc., the study concluded, "The new and far broader portfolio of risk is fraught with opportunity--the opportunity to take on these new issues proactively; to help management and the board devise solutions; and, in doing so, to get the company's leadership to adopt a new way of thinking about risk."
But the downside is that the penalty for ignoring risk, or managing it badly, is often more costly today than it was just a few years ago, bloody uprisings within the risk management department aside, of course.
RISK MANAGEMENT TYPES
The survey found that there were three kinds of risk managers:
* "Traditional risk management involves many long-established, routine functions. These include identifying risk, using various risk-control measures to eliminate or mitigate loss, analyzing claims and claims trends and handling the details of insurance and other risk-transfer methods.
* "Progressive risk management encompasses all of the concerns of traditional risk management but adds alternative risk financing (such as self-insurance, captives and risk-capital products), business continuity planning, measure of the total cost of risk and education and communication with the rest of the organization about risk and its management.
* "Strategic risk management goes further still incorporating all the areas that fall in both traditional and progressive risk management, but adding the C-suite view of the totality of risk. The practitioner of strategic risk management views risk as something to optimize, not just to mitigate or avoid, and takes an enterprise-wide view of risk. Risk is indexed against the organization itself, year-over-year, and against competitors. Risk management information systems and other technologies play a large role in managing risk."
Corporate governance issues may well turn out to be an important factor that will cause senior management to look at these issues, and risk managers, more closely. While companies complain about the costs of implementing Sarbanes-Oxley, it has forced companies to examine their policies and practices more aggressively if only to protect senior management from potential liability.
Indeed, companies that choose to ignore management risk may face far more issues of personal liability if something goes wrong. Under existing directors and officers insurance coverage, there are emerging questions about whether the real liabilities can be covered.
But Sarbanes-Oxley may also be beneficial. The Marsh-Greenwich-RIMS survey reported that 63 percent of the risk managers interviewed said that SOX had a "beneficial impact on their companies" and that SOX had a "positive impact on risk management" and its practice.
The issue, the RIMS-Marsh survey concludes, is how well the risk manager can act as a change agent within the organization. "The challenge is that the new environment includes new areas, such as climate change and transparency, that the CFO--not to mention the board--will have to address before crises develop."
And if risk management, in a broad sense, fails to take the initiative, the organization will face "significant levels of unaddressed risk and therefore, grave vulnerability," the authors of the survey write.
JACK ROBERTS is editor-in-chief of Risk & Insurance®.
May 1, 2007
Copyright 2007© LRP Publications